An All-Star Panel on Cybersecurity

The former Chairman of the Joint Chiefs of Staff, Admiral Mike Mullen, characterized “cyber” as an “existential threat to the United States of America” in a recent issue of Fortune Magazine:

The challenge for me and many other leaders is to really understand it….We are vulnerable in the military and in our governments, but I think we’re most vulnerable to cyberattacks commercially. This challenge is going to significantly increase….The potential is to shut down our transportation system, shut down our banking system, shut down other infrastructure in our country, and essentially bring us to parade rest.

Shortly after he made that statement, we learned about Flame, a 20-megabyte computer virus that contains 20 times more code than the much-discussed Stuxnet virus. It evaded detection for five years and, according to researchers at the Kaspersky Lab, could have infected over a thousand computers across the Middle East. Flame has fanned the flames (I couldn’t resist) of the debate over cybersecurity: while the Washington Post just ran a special report, “Zero Day: The Threat in Cyberspace,” ABC News investigative producer Lee Ferran argues that “human carelessness” is more responsible for cyberthreats than technical advances: “no matter how sophisticated the attack or how capable the defenses, the weakest link in cybersecurity is often the human at the keyboard.”

So how worried should we be? To analyze Admiral Mullen’s argument—and consider issues of cybersecurity more broadly—I spoke to several leading figures:

It’s important to deconstruct cyberthreats into a spectrum of threats, rigorously analyzing each on the basis of its likelihood and impact.

How one assesses the risks of those threats depends in part on one’s willingness to extrapolate: that is, to infer from that which we can observe and verify that there’s much more occurring that we can neither observe nor verify. Recall former Secretary of Defense Donald Rumsfeld’s distinction between “known knowns,” “known unknowns,” and “unknown unknowns.”

POWER GAMES: How would you respond to Admiral Mullen’s statement?

ARQUILLA: Cyberattack, at its worst, poses the threat of “mass disruption.” This could prove costly, in economic terms, and could lead to battlefield losses if the information systems upon which our troops rely are disrupted in the middle of a fight. But all this pales in comparison to the threat posed by weapons of mass destruction—nukes, bugs, and poisons. Cyber is bad, but does not pose an “existential threat.”

CARR: I partially agree…No one has produced an accurate threat assessment on this topic, so Admiral Mullen isn’t really speaking from a base set of verifiable facts. What he describes is more of a potential threat on a broad scale. If, on the other hand, he focused solely on the threats to specific industries like defense contracting, energy, artificial intelligence, research and development, and other specific high-value sectors, I’d agree with him 100%.

LIN: It depends on what you mean by “existential.” An existential threat is one that, if not countered, could threaten the existence of the United States as we know it today…In the short term, is there a cyberthreat that could threaten the existence of the United States as we know it today? Sure. Imagine a powerful nuclear electromagnetic pulse weapon detonated above the horizon of much of the United States. Such a weapon could totally fry most of the existing electronic infrastructure (that is, all computer and communications technology, both standalone and embedded in devices) on which we rely today. Such a weapon might shut down the nation’s power grid and damage much of our ability to recover.

In the long term, is there a threat that could threaten the existence of the United States as we know it today? Sure, and it does not even have to be a cyberthreat. The United States has the world’s dominant economy today, and exerts enormous economic power and influence around the world….such leadership cannot be taken for granted, and we do have economic competitors today….A threat to U.S. economic dominance could be regarded as existential, and there I would say that the United States does face an existential threat in the long run [from China].

Cyber, of course, plays into this threat: economic espionage against the United States gives other nations advantages over us in any economic competition, and we know that much of the economic espionage against us is committed using cyber means. The notion that cyber plays into an economic threat against the United States is consistent with Admiral Mullen’s statement…that “we’re most vulnerable to cyberattacks commercially.” On the other hand…the United States does not conduct espionage against other nations for the benefit of private U.S. companies. So to some extent, we have chosen to tie one hand behind our backs. There are other scenarios that are sometimes offered, such as a cyberattack that shuts down the U.S. electric power grid for months at a time. That would be a very bad outcome, and is also arguably [an] existential [threat]. But…there are two relevant points. First, this would be very hard to do….Second, there are other, non-cyber ways to achieve the same effect, and the key point here is that we don’t do very much to protect against those other non-cyber ways either.

RID: Unless he comes forward with more detail, which I frankly doubt he can—either because he doesn’t have it or, far less likely, because it’s classified—I would dismiss this statement.

ROOSENRAAD: My main response…is to nod and wonder what took the U.S. military this long to acknowledge the importance of the Internet. The Internet has become a critical part of the world economy, and that obviously means the U.S. economy as well. The purpose of the U.S. military is to protect the country’s interests around the world, so it’s inevitable that they’ll look to do so on the Internet….From a state-versus-state point of view, I agree [that “[t]his challenge is going to significantly increase”].

Over the last few years, we’ve seen a rather radical change in the world of online malware, bots, and other threats that has grown from individuals into gangs and now into…a whole shadow economy, with criminals and criminal gangs that specialize in specific areas. One expects that state-backed activities will similarly evolve from individual actions into large-scale programs, with strategic goals, centralized programs, large budgets, and other conventions….Admiral Mullen is right that commercial entities are being attacked, but I’d contest the statement that industry as a whole is more vulnerable than the military or the government. While industry approaches to cyberprotection vary from company to company, I think you’ll find that many large corporations are quite far along with their defenses against attacks, since they are aware that companies are being attacked every day.

WOODCOCK: There are two factors that make the United States particularly vulnerable to cyberattacks. First is the degree to which we, as a country, are willing to make enemies of arbitrary people in random parts of the world, for no reason or gain….Second, for us, cyber is an asymmetric risk. That is, we have far more to lose in a cyberconflict than most countries do, because so much of our economy is dependent upon the Internet…By militarizing cyberspace, we place at risk something that we hold dearer than do our adversaries. I remember thinking this when we used the BLU-114 graphite fiber bombs [according to GlobalSecurity.org, “special-purpose munition[s] for attacking electrical power infrastructure”] in Bosnia: it might have been painful for them, but it would have been utterly crippling if it had been used in the U.S., and it was an idea that we really shouldn’t have put out in the world. And, of course, all of this affects us commercially. The Internet is private-sector.

ZUCKERMAN: Many of the doomsday scenarios that are cited fail to distinguish between Internet-based systems and non-Internet-based control systems. The Stuxnet worm was the first clear piece of evidence that attacks could cross that barrier. It was a “proof of concept,” but not the norm. In fact, it was a pretty clever, even miraculous, attack….I’m scared of DDoS [distributed denial-of-service attacks] and malware, and a little less scared of the possibility that people will break the barrier that I mentioned earlier. We should spend more time being scared of that which we know is happening than that which could theoretically be happening.

When computer-security folks say that they see little justification for the doomsday scenarios, military officials often respond: “You don’t know what’s out there.” I call that response “security through obscurity.” How are we supposed to respond if we can’t see the evidence—if there even is evidence—for the dire threat assessments? The reality is that the Internet has more or less worked even though it has enormous insecurities. As recently as a decade ago, some people seriously thought that it would collapse under the weight of spam. Then it was phishing [attempts to steal sensitive information over e-mail by pretending to be a trustworthy source] that would be an apocalypse. The truth is that there are gangs of geeks out there working very hard to fix the Internet’s security gaps. They get very little press, partly because they don’t seek it, and partly because it’s sexier to say that the sky is falling than to say that we’re chipping away at those gaps.

PG: Why do assessments of cyberthreats vary so significantly among analysts? While some argue that those threats are serious and poised to increase, others contend that they’re exaggerated and well within our ability to manage.

ARQUILLA: Those who see less of a threat tend to view the absence of a “Digital Pearl Harbor” as a sign that it is unlikely that there will ever be one. Others of us (I am one of them) look at actual vulnerabilities—as demonstrated in real-world events and rigorous exercises—and worry that thinking enemies will soon make the virtual domain a theater of war and target for terror.

CARR: Because most of them occur below the radar. Most companies have no idea that they’re losing data or have unauthorized users crawling their networks. So we extrapolate…from what we do discover to cover those [threats] that we presume must also be happening which haven’t been discovered. That’s fine if the person making the estimate sticks to high-value industries, but often that’s not the case. Instead, people see something in the news about China, and all of a sudden EVERYTHING is about China. Or they read about a high-profile cyberattack and extrapolate from that that ALL companies have been breached. That’s a completely inane point of view, but the media eats it up because it makes for an exciting headline and expanded readership.

LIN: I’d argue that both kinds of analysts are right. That is, cyberthreats are serious and poised to increase, but…they are (sometimes) exaggerated and well within our ability to manage. Whether they are within our WILL to manage is a different point. For all of the expressed concern about cybersecurity, few people seem to be willing to pay very much (in dollars or effort or convenience) to fix those problems. If we as a nation would actually implement what we have the knowledge and the technology to do, our cybersecurity posture would be much stronger than it is now.

WOODCOCK: The future is unknowable, and people are very bad at quantifying risk. Some people consider what’s possible, while others consider what’s likely. Some people think that what’s possible will happen eventually, while the temporally egocentric assume that anything that’s possible will occur while they’re alive. Personally, I’m an optimist, and believe that people are, by and large, good, and it doesn’t occur to them to actually do the terrible things that other people know are possible. Perfect security is impossible, yet planes and buildings are not blowing up, because most people are rational and well-intentioned most of the time, and it’s neither nice nor useful to blow up planes. I think there are many more inventive, pessimistic, paranoid people than there are inventive, sociopathic, motivated people. Thus, people invent and worry about scenarios that are far worse than any that will actually be carried out in our lifetimes.

PG: When individuals discuss cyberthreats, to what are they generally referring? Cybercrime? Cyberattacks? Cyberterrorism? Cyberwar? How important are the distinctions between those categories?

ARQUILLA: Cyberwar has many faces. “Cybotage” can be used to gum up the works—think Stuxnet. Cybersnooping is a key aspect of modern intelligence, as is industrial espionage, the latter being a cause of the hemorrhaging of American intellectual property today. Cyberwar has made an appearance on the battlefield—think the Russian use of cyberattacks on Georgia’s information systems during the 2008 war, which contributed to the quick overrun of the latter’s forces in the field. Terrorists haven’t yet gotten up to speed in the cyber realm, probably because it takes time to develop top-flight hackers, and terrorists are reluctant to recruit cyber mercenaries (they might be working for us, like the double agent who infiltrated the Al Qaeda cell in Yemen).

CARR: There are two big categories of cyberthreats: cybercrime against banks and cyberespionage against high-value industries. Much rarer are acts of cyberwarfare, which we saw during the Russia-Georgia war in 2008 and the Israel-Hamas conflict (Operation Cast Lead) in January 2009. There has never been a single act of cyberterrorism, although I expect to see that start to happen in another three to five years as radical groups become confident about the havoc that they could potentially create via cyberattacks.

HYPPONEN: One of the key problems we have in understanding this issue is the lack of understanding of the differences between different threats. Some of these attacks (and attackers) have nothing to do with each other, yet we seem to refer to them as one and the same. A criminal who wants to steal your credit card information has nothing to do with an activist who wants to DDoS a corporate website as a protest. And neither of them has anything to do with a government employee launching cyberespionage attacks to steal classified information of foreign nations. All of these happen all the time. They have nothing to do with each other and cannot be solved with a single solution.

LIN: Everything in the media is [treated as] a cyberattack, and it masks important distinctions. Stealing information is a different kind of threat than destroying computers, and the public debate would be much saner if we distinguished between them.

ROOSENRAAD: One of the larger issues we have in the cybersecurity/Internet security/anti-spam/anti-bot/etc. industry…is the lack of a good common vocabulary. While this can sometimes just be annoying…the different terminology can actually hold back the fight against the Internet “bad guys.” There are very few organizations that can fight online threats on their own, and this means we need to share data and collaborate….But in order to work together, you need to be able to communicate. You need…a common lexicon.

WOODCOCK: These distinctions are very meaningful, and…[these categories are] far too often lumped together, in the way that people who don’t actually understand something will abstract it and refer to it as a cloud or a black box. Cybercrime is crime, some or all of which is executed online, but what’s interesting about it is that it’s crime, and that it’s the responsibility of law enforcement to investigate and prosecute it, to deter future crime. Cyberattack is a generalization of no great utility. Cyberterrorism is a boogeyman that’s possible, but doesn’t actually exist, and may not come to pass in our lifetimes. Cyberwarfare encompasses both cyberdefense, which is just good sense, and cyberoffense, which is cybercrime committed by governments. So each is a different thing with different actors: some individuals, some corporations, some governments, and others that are mythical or hypothetical….Abstractions and understanding by analogy…aren’t sufficient to guide action in this space.

ZUCKERMAN: DDoS has escalated to a serious problem for small web players and could possibly be very worrisome for mid-level government agencies. We’ve seen a high, growing level of attacks—particularly originating from the Chinese activist community—that systematically target the communication channels of human-rights NGOs. Do these attacks constitute cyberharassment? Yes. Cyberespionage? Maybe. But cyberwar? No. War kills people.


Dramatic and misleading

Over the course of no more than a decade, America has radically switched favorites when it comes to cable news networks. As this sequence of maps showing TMAs (Television Market Areas) suggests, CNN is out, Fox News is in.

The maps are certainly dramatic, but also a bit misleading. They nevertheless provide some insight into the state of journalism and the public's attitudes toward the press in the US.

Let's zoom in:

It's 2008, on the eve of the Obama Era. CNN (blue) dominates the cable news landscape across America. Fox News (red) is an upstart (founded in 1996) with a few regional bastions in the South.

By 2010, Fox News has broken out of its southern heartland, colonizing markets in the Midwest and the Northwest — and even northern Maine and southern Alaska.

Two years later, Fox News has lost those two outliers, but has filled up in the middle: it now boasts two large, contiguous blocks in the southeast and northwest, almost touching.

In 2014, Fox News seems past its prime. The northwestern block has shrunk, the southeastern one has fragmented.

Energised by Trump's 2016 presidential campaign, Fox News is back with a vengeance. Not only have Maine and Alaska gone from entirely blue to entirely red, so has most of the rest of the U.S. Fox News has plugged the Nebraska Gap: it's no longer possible to walk from coast to coast across CNN territory.

By 2018, the fortunes from a decade earlier have almost reversed. Fox News rules the roost. CNN clings on to the Pacific Coast, New Mexico, Minnesota and parts of the Northeast — plus a smattering of metropolitan areas in the South and Midwest.

"Frightening map"

This sequence of maps, showing America turning from blue to red, elicited strong reactions on the Reddit forum where it was published last week. For some, the takeover by Fox News illustrates the demise of all that's good and fair about news journalism. Among the comments:

"The end is near."

"The idiocracy grows."

"(It's) like a spreading disease."

"One of the more frightening maps I've seen."

For others, the maps are less about the rise of Fox News, and more about CNN's self-inflicted downward spiral:

"LOL that's what happens when you're fake news!"

"CNN went down the toilet on quality."

"A Minecraft YouTuber could beat CNN's numbers."

"CNN has become more like a high-school production of a news show."

Not a few find fault with both channels, even if not always to the same degree:

"That anybody considers either of those networks good news sources is troubling."

"Both leave you understanding less rather than more."

"This is what happens when you spout bullsh-- for two years straight. People find an alternative — even if it's just different bullsh--."

"CNN is sh-- but it's nowhere close to the outright bullsh-- and baseless propaganda Fox News spews."

"Old people learning to Google"

Image: Google Trends

CNN vs. Fox News search terms (200!-2018)

But what do the maps actually show? Created by SICResearch, they do show a huge evolution, but not of both cable news networks' audience size (i.e. Nielsen ratings). The dramatic shift is one in Google search trends. In other words, it shows how often people type in "CNN" or "Fox News" when surfing the web. And that does not necessarily reflect the relative popularity of both networks. As some commenters suggest:

"I can't remember the last time that I've searched for a news channel on Google. Is it really that difficult for people to type 'cnn.com'?"

"This is a map of how old people and rural areas have learned to use Google in the last decade."

"This is basically a map of people who don't understand how the internet works, and it's no surprise that it leans conservative."

A visual image as strong as this map sequence looks designed to elicit a vehement response — and its lack of context offers viewers little new information to challenge their preconceptions. Like the news itself, cartography pretends to be objective, but always has an agenda of its own, even if just by the selection of its topics.

The trick is not to despair of maps (or news) but to get a good sense of the parameters that are in play. And, as is often the case (with both maps and news), what's left out is at least as significant as what's actually shown.

One important point: while Fox News is the sole major purveyor of news and opinion with a conservative/right-wing slant, CNN has more competition in the center/left part of the spectrum, notably from MSNBC.

Another: the average age of cable news viewers — whether they watch CNN or Fox News — is in the mid-60s. As a result of a shift in generational habits, TV viewing is down across the board. Younger people are more comfortable with a "cafeteria" approach to their news menu, selecting alternative and online sources for their information.
